# Extra set of common parsers
#
# NOTE(review): every capture group on this page opens with a bare `(?` and
# carries no name, although the Time_Key lines refer to fields by name
# (log_time). Presumably the `<name>` part of each `(?<name>...)` group was
# stripped when the page was rendered. Restore the names from the original
# file before loading this config; the regexes as shown are not usable.
#
# NOTE(review): parsers with `Time_Keep Off` drop the original time field from
# the record once it has been parsed. If the raw timestamp string matters for
# later investigation, `Time_Keep On` retains it.

[PARSER]
    # http://rubular.com/r/cCVd1HLCAO
    # NOTE(review): the time capture admits `+` and `:` after the date, but
    # Time_Format has no zone specifier. Confirm how an offset in the source
    # log is handled before correlating these events with other sources.
    Name crowbar
    Format regex
    Regex ^.*\[(?[^ ][-.\d\+:]+T[:\d]*)([^\]])*?\]\s+?(?[^ ]\w+)([\s-]*):?\s+(?.*)
    Time_Format %Y-%m-%dT%H:%M:%S
    Time_Keep Off
    Time_Key log_time

[PARSER]
    # http://rubular.com/r/frDgnElXW9
    # Same shape as crowbar, but anchored at the opening bracket and at end of line.
    Name chefclient
    Format regex
    Regex ^\[(?[^ ][-.\d\+:]+T[:\d]*)([^\]])*?\]\s+(?[^ ]\w+):\s+(?.*)$
    Time_Format %Y-%m-%dT%H:%M:%S
    Time_Keep Off
    Time_Key log_time

[PARSER]
    # The commented-out Regex is an earlier variant; only the second Regex line is active.
    # NOTE(review): the active time capture accepts a `T` separator and a
    # trailing `Z`, while Time_Format expects a space-separated local form.
    # Confirm which layout the server actually writes.
    Name mysql_error
    Format regex
    #Regex ^(?[^ +][ -:0-9TZ]+|[[:upper:]][[:lower:]]{2})(\+\d+:\d+[TZ]*){0,1}\s*(?[^ ]\d+)\s+\[(?[^ ]\w+)\](\s+(?[^ ]\w+):){0,1}\s+(?.*)$
    Regex ^(?[^ +][-\d]+[\ T]*[:\dZ]+)\s*(?[^ ]\d+)\s+\[(?[^ ]\w+)\](\s+(?[^ ]\w+):){0,1}\s+(?.*)$
    Time_Format %Y-%m-%d %H:%M:%S
    Time_Keep Off
    Time_Key log_time

[PARSER]
    # Matches only the "# User@Host:" header line of a slow-query entry and
    # splits it into four captures; the third is an optional bracketed run of
    # digits and dots. No time field is configured for this parser.
    Name mysql_slow
    Format regex
    Regex ^# User\@Host:\s+(?[^\@][\w\[\]]+)[@\s]+(?[^ ][-.\w]+)\s+(\[(?[.\d]+)\]){0,1}\s+(?.*)$

[PARSER]
    # The active Time_Format is the syslog-style "%b %d %H:%M:%S", which has
    # no year and no zone. The ISO variant and the integer cast for pid are
    # left commented out.
    Name pacemaker
    Format regex
    Regex ^\s*(?[^ ]* {1,2}[^ ]* [^ ]*) \[(?\d+)\] (?[\-\w]*)\s*(?\w*):\s+(?\w+):\s+(?.*)$
    #Time_Format %Y-%m-%dT%H:%M:%S
    Time_Format %b %d %H:%M:%S
    Time_Keep Off
    Time_Key log_time
    #Types pid:integer

[PARSER]
    # Matches the "=<WORD> REPORT==== <time> ===" header line of a report.
    Name rabbitmq
    Format regex
    Regex ^=(?[^ ]\w+)\s+REPORT[=\s]*(?[^ =][-:.\d\w]+)[\s=]+(?.*)$
    Time_Format %d-%b-%Y::%H:%M:%S
    Time_Keep Off
    Time_Key log_time

[PARSER]
    # Pulls an HTTP method, path and protocol out of a free-form line, then
    # optional status / len / time / microversion fields.
    # NOTE(review): in the method alternation the trailing `[^ ]\w+` binds to
    # HEAD only, so that branch needs further word characters after "HEAD".
    # Confirm whether that is intended.
    # NOTE(review): the pattern starts with an unanchored `^.*` followed by
    # nested optional groups, and the path is chosen by whoever sends the
    # request. Check matching cost against long or unusual request lines.
    Name http_statement
    Format regex
    Regex ^.*((?GET|POST|PUT|DELETE|CONNECT|OPTIONS|HEAD[^ ]\w+)\s*(?[^ ][-._?=%&\/[:alnum:]]*)\s*(?[^ ][.\/\dHTFSP]+){0,1})(['"\s]*){0,1}((\s*status:\s*(?[^ ]\d+)){0,1}(\s*len:\ (?[^ ]\d+)){0,1}(\s*time:\s*(?[^ ][.\d]+)){0,1}(\s*microversion:\s*(?[^ ][.\d]+)){0,1}){0,1}$

[PARSER]
    # Catch-all: the whole line goes into one capture, with no structure and no time.
    Name universal
    Format regex
    Regex ^(?.*)$

[PARSER]
    # Unanchored, so it matches the first UUID-shaped token anywhere in the
    # line. Accepts version nibble 1-5 and variant nibble 8, 9, a or b.
    Name uuid
    Format regex
    Regex (?[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[1-5][0-9a-fA-F]{3}-[89abAB][0-9a-fA-F]{3}-[0-9a-fA-F]{12})
# Per-version reference patterns follow (not used by the parser above).
#UUID v1 :
#/^[0-9A-F]{8}-[0-9A-F]{4}-[1][0-9A-F]{3}-[89AB][0-9A-F]{3}-[0-9A-F]{12}$/i
#UUID v2 :
#/^[0-9A-F]{8}-[0-9A-F]{4}-[2][0-9A-F]{3}-[89AB][0-9A-F]{3}-[0-9A-F]{12}$/i
#UUID v3 :
#/^[0-9A-F]{8}-[0-9A-F]{4}-[3][0-9A-F]{3}-[89AB][0-9A-F]{3}-[0-9A-F]{12}$/i
#UUID v4 :
#/^[0-9A-F]{8}-[0-9A-F]{4}-[4][0-9A-F]{3}-[89AB][0-9A-F]{3}-[0-9A-F]{12}$/i
#UUID v5 :
#/^[0-9A-F]{8}-[0-9A-F]{4}-[5][0-9A-F]{3}-[89AB][0-9A-F]{3}-[0-9A-F]{12}$/i

# Parse IP Tables rules - this one regex should capture pretty much any IP Tables rule and split it into the various fields
#
# NOTE(review): the capture groups below open with a bare `(?` and have no
# names, while Types refers to source_port, dest_port, pkt_ttl, pkt_tos and
# pkt_len. Presumably the `<name>` parts were stripped when the page was
# rendered; restore them from the original file. The `(?:` groups inside
# SRC/DST are ordinary non-capturing groups and are intact.
# NOTE(review): the line must start with a three-part "[a-b-c]" prefix
# immediately before IN=, which looks like a site-specific log-prefix
# convention. Lines logged with a different prefix will not match.
# NOTE(review): SRC/DST accept dotted-quad IPv4 only, and `[0-9]{1,3}` does not
# limit an octet to 255. IPv6 entries will not match this pattern.
# NOTE(review): SPT and DPT are captured with greedy `.*`, yet Types casts
# source_port and dest_port to integer (assuming those are the SPT/DPT
# groups). `\d+` would keep the capture to what the cast expects; confirm
# against real log lines before changing it.
[PARSER]
    Name iptables
    Format regex
    Regex \[(?\w*)-(?\w*)-(?\w*)\]IN=(?[\w.]+)? OUT=(?[\w.]+)? MAC=(?[\w:]+)? SRC=(?(?:[0-9]{1,3}\.){3}[0-9]{1,3}) DST=(?(?:[0-9]{1,3}\.){3}[0-9]{1,3}) LEN=(?\d+) TOS=(?[\w\d]+) PREC=(?[\w\d]+) TTL=(?\d+) ID=(?\d+)\s?(?[A-Z\s].?)\s?PROTO=(?[\w\d]+) (SPT=(?.*) DPT=(?.*) (LEN=(?\w+)?)?(WINDOW=(?\d+) RES=(?\w+)? (?\w+)\s((?\w+)?)\s?URGP=(?\d))? )?(TYPE=(?\d+) CODE=(?\d+) ID=(?\d+) SEQ=(?\d+) )?$
    Types source_port:integer,dest_port:integer,pkt_ttl:integer,pkt_tos:integer,pkt_len:integer

# Various parsers for Couchbase Server logs
# All Couchbase parsers here set Time_Keep On, so the original `timestamp`
# field stays in the shipped record alongside the parsed event time.
[PARSER]
    Name couchbase_json_log_nanoseconds
    Format json
    Time_Key timestamp
    Time_Format %Y-%m-%dT%H:%M:%S.%L
    Time_Keep On
    # Do not remove the time field from the output we ship

[PARSER]
    # JSON records whose timestamp has whole seconds and a literal trailing Z.
    Name couchbase_rebalance_report
    Format json
    Time_Key timestamp
    Time_Format %Y-%m-%dT%H:%M:%SZ
    Time_Keep On

# The level may have optional brackets around it
[PARSER]
    # Timestamp with fractional seconds and a numeric offset, then a level in
    # square brackets, then the rest of the line.
    Name couchbase_simple_log
    Format regex
    Regex ^(?\d+-\d+-\d+T\d+:\d+:\d+\.\d+(\+|-)\d+:\d+)\s+\[(?\w+)\](?.*)$
    Time_Key timestamp
    Time_Format %Y-%m-%dT%H:%M:%S.%L%z
    Time_Keep On

[PARSER]
    # Same timestamp layout, but the level is a bare word delimited by whitespace.
    Name couchbase_simple_log_space_separated
    Format regex
    Regex ^(?\d+-\d+-\d+T\d+:\d+:\d+\.\d+(\+|-)\d+:\d+)\s+(?\w+)\s+(?.*)$
    Time_Key timestamp
    Time_Format %Y-%m-%dT%H:%M:%S.%L%z
    Time_Keep On

# Slight change in time format to use Z at end instead of offset:
# 2021-03-09T17:32:02.136Z INFO ...
# https://rubular.com/r/EpG3M1dHb5AnTC
#
# NOTE(review): the capture groups below open with a bare `(?` and have no
# names, while every Time_Key refers to a field called timestamp. Presumably
# the `<name>` parts were stripped when the page was rendered; restore them
# from the original file before use. The `(?:` in couchbase_http is an
# ordinary non-capturing group and is intact.
[PARSER]
    Name couchbase_simple_log_utc
    Format regex
    Regex ^(?\d+-\d+-\d+T\d+:\d+:\d+\.\d+Z)\s+(?\w+)(?.*)$
    Time_Key timestamp
    Time_Format %Y-%m-%dT%H:%M:%S.%LZ
    Time_Keep On

# Cope with two different log formats, e.g.:
# 2021/03/09 17:32:15 cbauth: ...
# 2021-03-09T17:32:15.303+00:00 [INFO] ...
# https://rubular.com/r/XUt7xQqEJnrF2M
[PARSER]
    # No Time_Format is set, so the captured time is not converted (see the
    # comment below). Time_Keep On leaves the raw timestamp text in the
    # record, which is what downstream ordering has to rely on.
    Name couchbase_simple_log_mixed
    Format regex
    Regex ^(?\d+(-|/)\d+(-|/)\d+(T|\s+)\d+:\d+:\d+(\.\d+(\+|-)\d+:\d+|))\s+((\[)?(?\w+)(\]|:))(?.*)$
    Time_Key timestamp
    Time_Keep On
    # We cannot parse the time as different formats directly, it could be done downstream and/or left as current time

[PARSER]
    Name couchbase_erlang_multiline
    Format regex
    # For some reason this cannot parse an ending close bracket ] followed by a new line immediately
    # NOTE(review): in both variants the dot before the fractional seconds
    # (`\d+.\d+Z`) is unescaped, so it matches any character there. The
    # capture also ends in a literal Z that Time_Format does not mention;
    # confirm the time is parsed as intended.
    #Regex \[(?\w+):(?\w+),(?\d+-\d+-\d+T\d+:\d+:\d+.\d+Z),.*\](?.*)$
    Regex \[(?\w+):(?\w+),(?\d+-\d+-\d+T\d+:\d+:\d+.\d+Z),(?.*)$
    Time_Key timestamp
    Time_Format %Y-%m-%dT%H:%M:%S.%L
    Time_Keep On

# 2021-03-09T17:32:25.339+00:00 INFO CBAS.bootstrap.AnalyticsNCApplication [main] ...
# https://rubular.com/r/9jh1oKtXBN5GEV
# Can include an exception stack trace or a thread dump as well but ignoring these for now
[PARSER]
    # NOTE(review): three greedy `.*` captures surround the bracketed field,
    # so a message that itself contains " [...] " moves the split to the last
    # such pair on the line. Treat the field boundaries as best effort when
    # the message text comes from outside.
    Name couchbase_java_multiline
    Format regex
    Regex ^(?\d+-\d+-\d+T\d+:\d+:\d+\.\d+(\+|-)\d+:\d+)\s+(?\w+)\s+(?.*)\s+\[(?.*)\]\s+(?.*)$
    Time_Key timestamp
    Time_Format %Y-%m-%dT%H:%M:%S.%L%z
    Time_Keep On

# A slight modification of the usual Apache/Apache2 parsers
[PARSER]
    # Space-delimited access-log fields, with the request line in double
    # quotes. The literal " - " before the final capture is required for a match.
    Name couchbase_http
    Format regex
    Regex ^(?[^ ]*) [^ ]* (?[^ ]*) \[(?[^\]]*)\] "(?\S+)(?: +(?[^ ]*) +\S*)?" (?[^ ]*) (?[^ ]*) - (?.*)$
    Time_Key timestamp
    Time_Format %d/%b/%Y:%H:%M:%S %z
    Time_Keep On

# End of Couchbase Server parsers